California Health Care Data Protection Law Addresses Worker Snooping

Last year, Governor Arnold Schwarzenegger signed into law new data protection laws to prevent health care workers from peeking at celebrities’ medical records, although the legislation strikes at lax data protection practices generally. The scope of the security breaches at the UCLA Medical Center is impressive in terms of the number of people involved, the number of records viewed, and the long time period that elapsed before the breaches were discovered and stopped. A total of 127 employees at UCLA participated in the breaches. One employee of the Center allegedly peeked at the records of 939 patients before being caught. She looked at personal information that included social security numbers. The snooping took place between 2004 and 2008. The exposed celebrities included California First Lady Maria Shriver, actress Farrah Fawcett, singer Britney Spears, and “Cheers” actress Shelley Long. More generally, the California Department of Public Health found 349 confidentiality violations in acute care hospitals affecting 5,235 patients in a two-year period.

On September 30, 2008, the Governor signed two bills, AB 211 and SB 541, to address these security breaches. The two bills bolster the confidentiality protections of the California Confidentiality of Medical Information Act, the federal Health Insurance Portability and Accountability Act (HIPAA), and the Security Rule regulations promulgated under HIPAA.

Every provider of health care shall establish and implement appropriate administrative, technical, and physical safeguards to protect the privacy of a patient's medical information. Every provider of health care shall reasonably safeguard confidential medical information from any unauthorized access or unlawful access, use, or disclosure.

Cal. Health & Safety Code § 130203(a). This section requires more than simply having a security policy. Providers must establish and implement security safeguards. The second sentence imposes a duty to prevent unauthorized access or unlawful access, use, or disclosure. Nonetheless, the word “reasonably” in the second sentence modifies the duty, so that providers are not burdened by an unreasonable requirement to prevent all possible breaches or by a strict liability regime.

AB 211 creates an “Office of Health Information Integrity” within the California Health and Human Services Agency for the purpose of enforcing state confidentiality requirements for medical records and imposing administrative fines on violators. Id. § 130200.

Similar to the federal HIPAA Security Rule regulations, the law takes into account the facts and circumstances of the provider’s business and environment. Accordingly, the law does not impose a “one size fits all” set of requirements on providers. Thus, large, sophisticated hospitals are likely to be held to a higher standard than a solo country doctor.

In exercising its duties pursuant to this division, the office shall consider the provider's capability, complexity, size, and history of compliance with this section and other related state and federal statutes and regulations, the extent to which the provider detected violations and took steps to immediately correct and prevent past violations from reoccurring, and factors beyond the provider's immediate control that restricted the facility's ability to comply with this section.

Id. § 130203(b). Given this language, a number of factors may determine how harsh or lenient that Office of Health Information Integrity treats a health care provider. A history of violations will weigh against the provider, while a clean record would militate in favor of leniency. Moreover, if the provider is the one to detect the breach, correct the vulnerability, and implement steps to prevent future breaches, the Office will be more lenient than in situations where the provider was unaware of the breach, took no action to correct the problem, and/or made no effort to prevent future breaches.

A clinic, health facility, home health agency, or hospice licensed pursuant to Section 1204, 1250, 1725, or 1745 shall prevent unlawful or unauthorized access to, and use or disclosure of, patients’ medical information, as defined in subdivision (g) of Section 56.05 of the Civil Code and consistent with Section 130203.

Cal. Health & Safety Code § 1280.15(a). Covered entities include clinics, health facilities, home health agencies, and hospices.Under the language of this section, these health care facilities have a duty to prevent breaches, and not simply to implement security safeguards. The duty to prevent breaches must be consistent with Section 130203, and so the legislation attempted to harmonize the two security requirements.

Note that the legislation enacted no language to define “administrative, technical, and physical safeguards” in Section 130203.Nonetheless, the phrase “administrative, technical, and physical safeguards” is the same language used in HIPAA’s Security Rule. Accordingly, a court interpreting this language may very well turn to the HIPAA Security Rule regulations defining administrative, technical, and physical safeguards as persuasive authority for interpreting what these same terms mean for the purposes of Section 130203.

SB 541 also imposes new breach notification requirements on covered entities. The covered entity must report a breach to the Department of Public Health and the affected patients within five days of the detection of the breach. The law triggers a breach notification requirement upon any “unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information.” Cal. Health & Safety Code § 1280.15(b)(1), (b)(2). Note that the breach notification requirement contains no SB 1386-style delay provision permitting postponement of breach notification for the purpose of preventing compromise of a law enforcement criminal investigation. Cal Civil Code § 1798.29(c).

Penalties for violations include a penalty of $25,000 per patient for unauthorized access, use, or disclosure of patients’ records, $17,500 for each subsequent occurrence of access to an affected patient’s records, and $100 per day of delayed reporting of a breach. These penalties are subject to a $250,000 cap per reported event. Cal. Health & Safety Code § 1280.15(a), (c).

Given these new requirements, health care providers and facilities should expand their HIPAA compliance and training programs to include the new AB 211 and SB 541 requirements, strategies for compliance, and risk management strategies accounting for the penalties and liabilities that violations may trigger. They should ensure that their security policies encompass the new requirements, make sure that their incident response and reporting provisions are triggered by violations, and hold their personnel accountable for violations.#

Despite signing AB 211 and SB 541, Governor Schwarzenegger vetoed other data protection legislation. The Governor, for instance, vetoed AB 1656, which would have implemented a law similar to that in Minnesota,# requiring disposal or protection of sensitive credit and debit card information. Governor Schwarzenegger also vetoed SB 364. Both AB 1656 and SB 364 would have required enhanced breach notification following a compromise of card information beyond what is required by SB 1386, including information about the identity of the business holding the information, the types of information compromised, and the date range in which the breach occurred.

# For a full discussion of administrative, technical, and physical safeguards required by HIPAA, see Stephen Wu, A Guide to HIPAA Security and the Law (ABA Press 2007).